
Let's Encrypt DST Root CA X3 Issue

Please read this article to fix Web Proxy issues that come up today with some Let's Encrypt sites:

Delete the expired CA from the CA store on the XG.

Solved our issues.

You will find the Warning in SYSTEM log, not WebProxy (strange...)

messageid="17917" log_type="Event" log_component="HTTPS" log_subtype="System" dst_ip="" message="HTTPS access is denied due to invalid server certificate. Disable "Block invalid certificates" from "Web -> General Settings -> HTTPS Decryption and Scanning" to access HTTPS site '">'" user_agent="Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0" status_code="403" sentbytes="0"

Wouldn't this be something for proactive Hotfix installation by Sophos?

  • Hotfixes are neither easy nor quick to develop, as they require many Q&A processes to be involved. Also, HF will mess up build numbers and the backup/restore process etc. Therefore this is not a good solution for such a change.

    You could remove this CA by using Central Management. Simply remove the DST CA in your group and the change will be pushed to all firewalls.
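
Added example (not part of the thread and not Sophos code): a small parser for the System-log event quoted in the original post, which counts the invalid-certificate denials per destination so you can see how widely the expired CA is affecting traffic. The sample lines are constructed from the post's line; the `dst_ip` values, the site name `example.org` and the unrelated event are placeholders.

```python
import re
from collections import Counter

# A field starts at the beginning of the line or right after the '" ' that
# closes the previous field. The message value contains bare double quotes,
# so splitting on '"' (or shlex) would cut it short.
KEY_RE = re.compile(r'(?:^|(?<=" ))(\w+)="')

def parse_event(line):
    """Split one key="value" log line into a dict, tolerating quotes in values."""
    line = line.strip()
    marks = list(KEY_RE.finditer(line))
    fields = {}
    for i, m in enumerate(marks):
        if i + 1 < len(marks):
            end = marks[i + 1].start() - 2  # drop the '" ' before the next key
        else:
            end = len(line) - 1 if line.endswith('"') else len(line)
        fields[m.group(1)] = line[m.end():end]
    return fields

def is_invalid_cert_block(ev):
    """True for the HTTPS denial shown in the post (matched on text, not id)."""
    return (ev.get("log_component") == "HTTPS"
            and ev.get("status_code") == "403"
            and "invalid server certificate" in ev.get("message", ""))

def blocked_destinations(lines):
    """Count invalid-certificate denials per destination IP."""
    events = (parse_event(l) for l in lines if l.strip())
    return Counter(e.get("dst_ip", "") for e in events if is_invalid_cert_block(e))

# Constructed samples: the post's line with placeholder dst_ip and site name.
_DENIED = ('messageid="17917" log_type="Event" log_component="HTTPS" '
           'log_subtype="System" dst_ip="{ip}" message="HTTPS access is denied '
           'due to invalid server certificate. Disable "Block invalid '
           'certificates" from "Web -> General Settings -> HTTPS Decryption and '
           'Scanning" to access HTTPS site \'example.org\'" user_agent="Mozilla/5.0 '
           '(Windows NT 6.1; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0" '
           'status_code="403" sentbytes="0"')
SAMPLE = [_DENIED.format(ip="192.0.2.10"), _DENIED.format(ip="192.0.2.10"),
          _DENIED.format(ip=""),  # empty dst_ip, as in the post
          'messageid="00000" log_type="Event" log_component="Other" '
          'message="constructed unrelated event" status_code="200"']

if __name__ == "__main__":
    for ip, count in blocked_destinations(SAMPLE).most_common():
        print(repr(ip), count)
```

A sustained count after the CA has been removed from the store points at sites with a genuinely invalid chain rather than the expired root.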